Japanese Patent Application Public-disclosure No. 7-325785 
Japanese Patent Application Public-disclosure date: December 
12, 1995 

Title of the invention : Method for authenticating a network user, 
encrypted communication method, application client and server 
Japanese Patent Application No. 6-121093 
Japanese Patent Application date: June 2, 1994 
Applicant: Fujitsu Ltd. 

Inventors: Hiroaki Kikuchi and Yasutsugu Kuroda 

[Means for solving the problems] 

Fig. 1 is a diagram illustrating a principle of the present 
invention. 

Invention of Claim 1: In a network application system 
wherein client C transmits user identifier ID and password PW 
to server S, which verifies by referring to a file that the 
corresponding ID and PW actually exist, thereby authenticating 
the user, the client C encrypts the user identifier ID and password 
PW with public key Kp of the server S according to a public key 
system, and sends the encrypted ID and PW to the server S, and 
the server S decrypts the ID and PW using its own secret key 
Ks to extract user ID' and password PW'. 

Invention of Claim 2: In the invention of Claim 1, the 
server S sends random number R to the client C at the beginning 
of authentication, and the client C encrypts the user identifier 
ID, password PW and received random number R with the public 
key Kp and transmits the encrypted ID, PW and R to the server 
S, which verifies, by comparing decrypted random number R' 
against the random number R, that the decrypted random number 
R' is truly the previously transmitted random number R. 

[Embodiment] 

Hereafter, an embodiment of the present invention will 
be described with reference to the attached drawings. Fig. 2 
is a schematic diagram illustrating a server and client of the 
embodiment of the present invention. 

An application system consists of: hardware comprising 
a terminal as a client (workstation, personal computer or the 
like) and a computer as a server (general purpose machine, 
workstation, personal computer or the like), the terminal and 
the computer being coupled via a network; client program CP to 
be executed by the client; and server program SP to be executed 
by the server. There are often multiple server programs SP (and 
client programs CP) , which may be stored in different hardware 
(different computers) or in the same hardware. Hereafter, 
hardware and (a) client program (s) and hardware and (a) server 
program (s) will be respectively considered as a single unit for 
each application and referred to as client C and server S 
respectively. Each user has his (her) own user identifier ID 
and password PW. 

The client C comprises: a communication processing section 
14 for controlling communications between networks; a user 
interface (input section) 18; a public key system encryption 
processing section 11 for encrypting authentication information 
(user identifier ID and password PW or the like); a public key 
database for managing public keys Kp corresponding to secret 
keys Ks of servers S (applicable when there are multiple servers 
S, which is not depicted in the drawing); a public key storage 
section 12 for storing extracted public key Kp; a random number 
storage section 13 for storing random number R received from 
the server S; a service execution section for executing requested 
service (not indicated in the drawing); a session key generation 
section 16 for generating a session key SK; a session key storage 
section 17 for storing a session key SK; a secret key system 
encryption/decryption processing section 15 for 
encrypting/decrypting a session; and a centralized control 
section (which is not indicated in the drawing) for controlling 
the entire system. 

The server S comprises: a communication processing section 
24 for controlling communications between networks; a public 
key system decryption processing section 21 for decrypting 
authentication information; a secret key storage section 22 for 
storing a secret key Ks; a random number generation means 26 
for generating a random number R to be sent to the client C; 
a random number storage section 23 for storing a random number 
R; a random number checking section 29 for comparing the random 
number R against a received and decrypted random number R'; an 
ID/PW file 30 for managing all users' user identifiers IDs and 
passwords PWs; a password checking section 28; a service 
execution section for executing requested service (not indicated 
in the drawing); a secret key system encryption/decryption 
processing section 25 for encrypting/decrypting a session; and 
a centralized control section (not indicated in the drawing) 
for controlling the entire system. 

As the encryption system, any publicly known system can be 
employed. For example, the public key cipher RSA may be 
employed to encrypt the authentication information, and the 
CFB64 mode of the secret key cipher DES may be employed to 
encrypt the session. 

Hereafter, an operation procedure will be described by 
means of the protocol schematic diagram in Fig. 3. 
Step 1: The client C transmits an authentication request to the 
server S. 

Step 2: The server S generates a random number R and sends the 
random number R back to the client C. 

Step 3: The client C randomly generates a session key SK, encrypts 
the session key SK together with ID, PW and random number R sent 
from the server S by the public key Kp of the server S, and transmits 
them to the server S. 

Step 4: The server S decrypts the received encrypted data using 
its own secret key Ks and extracts user identifier ID' and 
password PW'. 

Step 5: The server S checks to see whether R' is identical to 
the random number R sent at Step 2 and whether ID' and PW' are 
registered in the internal database and notifies the client C 
of the result. 

The above-described procedure from Step 1 through Step 
5 is an authentication procedure and if it is verified at Step 
5 that R' is identical to R and that ID' and PW' are registered, 
the operation proceeds to the next step for "session". 
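The five-step exchange of Fig. 3, simulated end to end in one process: the server issues random number R (Step 2), the client bundles ID, PW, R and a fresh session key SK under the server's public key Kp (Step 3), and the server decrypts with Ks, checks R' against an outstanding R and checks ID'/PW' against its file (Steps 4 and 5). This is an added example, not code from the patent or from Fujitsu. It assumes a textbook RSA key pair generated in the script as the "public key system" (the patent only names RSA as one option; a real deployment would use RSA-OAEP or a modern KEM, never unpadded RSA), a constructed two-user ID/PW file, and its own names (`Server`, `client_step3`, `run_demo`, the byte-packing of the bundle). The DES CFB64 session encryption of the embodiment is not implemented; the demo only confirms that both sides end up holding the same SK.

```python
import hmac
import secrets

NONCE_LEN = KEY_LEN = 16   # byte lengths of random number R and session key SK

# ---- toy public key system: textbook RSA with keys generated here (no padding; illustration only) ----
def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    # Miller-Rabin; only ever called with odd n >= 2**255 here
    s = ((n - 1) & (1 - n)).bit_length() - 1   # trailing zero bits of n - 1
    d = (n - 1) >> s                            # so n - 1 == d * 2**s with d odd
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if _is_probable_prime(cand):
            return cand

def make_keypair(bits: int = 1024):
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))   # (Kp, Ks); 1024 bits is demo-sized only

def pk_encrypt(pub, data: bytes) -> bytes:
    n, e = pub
    m = int.from_bytes(b"\x01" + data, "big")   # 0x01 marker survives leading-zero stripping on decrypt
    if m >= n:
        raise ValueError("message too long for this key")
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")

def pk_decrypt(priv, ct: bytes) -> bytes:
    n, d = priv
    raw = pow(int.from_bytes(ct, "big"), d, n).to_bytes((n.bit_length() + 7) // 8, "big").lstrip(b"\x00")
    if not raw.startswith(b"\x01"):
        raise ValueError("malformed plaintext")
    return raw[1:]

def _pack(id_: bytes, pw: bytes, r: bytes, sk: bytes) -> bytes:
    return bytes([len(id_)]) + id_ + bytes([len(pw)]) + pw + r + sk   # len|ID|len|PW|R|SK

def _unpack(blob: bytes):
    i = 1 + blob[0]
    id_, pw, rest = blob[1:i], blob[i + 1:i + 1 + blob[i]], blob[i + 1 + blob[i]:]
    if len(rest) != NONCE_LEN + KEY_LEN:
        raise ValueError("bad bundle length")
    return id_, pw, rest[:NONCE_LEN], rest[NONCE_LEN:]

class Server:
    def __init__(self, id_pw_file: dict):
        self.Kp, self._Ks = make_keypair()       # Kp is published; Ks stays in secret key storage (22)
        self._id_pw_file = id_pw_file            # ID/PW file (30)
        self._pending_R = set()                  # random number storage (23): one-shot challenges
        self.sessions = {}                       # ID -> SK accepted at Step 5

    def step2_challenge(self) -> bytes:
        R = secrets.token_bytes(NONCE_LEN)       # random number generation (26)
        self._pending_R.add(R)
        return R

    def step4_5_verify(self, ct: bytes):
        try:                                     # Step 4: decrypt with Ks, extract ID', PW', R', SK
            id_, pw, r_prime, sk = _unpack(pk_decrypt(self._Ks, ct))
        except (ValueError, IndexError):
            return False, "malformed"
        if r_prime not in self._pending_R:       # Step 5: R' must be a challenge we issued and not yet used
            return False, "stale or unknown random number"
        self._pending_R.discard(r_prime)         # consume it, so a replayed bundle fails here
        expected = self._id_pw_file.get(id_)
        if expected is None or not hmac.compare_digest(expected, pw):
            return False, "unknown user or wrong password"
        self.sessions[id_] = sk                  # SK is now shared for the session
        return True, "authenticated"

def client_step3(server_Kp, ID: bytes, PW: bytes, R: bytes):
    # Step 3: fresh session key SK (16), then ID, PW, R and SK encrypted under the server's Kp
    SK = secrets.token_bytes(KEY_LEN)
    return pk_encrypt(server_Kp, _pack(ID, PW, R, SK)), SK

def run_demo():
    server = Server({b"alice": b"correct horse", b"bob": b"hunter2"})   # constructed ID/PW file
    R = server.step2_challenge()                                      # Steps 1-2
    ct, sk_client = client_step3(server.Kp, b"alice", b"correct horse", R)   # Step 3
    auth = server.step4_5_verify(ct)                                  # Steps 4-5
    replay = server.step4_5_verify(ct)                                # same ciphertext again: R consumed
    bad_pw = server.step4_5_verify(client_step3(server.Kp, b"alice", b"guess", server.step2_challenge())[0])
    return {"auth": auth, "replay": replay, "bad_pw": bad_pw,
            "sk_shared": auth[0] and server.sessions.get(b"alice") == sk_client}
```

`run_demo()` returns the verdicts for a genuine login, a second presentation of the same ciphertext, and a wrong-password attempt. The second presentation is rejected at the R' check because the server discards each random number once it has been used; that one-shot handling of R is what Claim 2 adds over Claim 1, where a recorded ciphertext of ID and PW would decrypt and verify just as well the second time. The password comparison uses a constant-time compare and looks the user up before comparing, so an unknown ID and an empty password cannot pass.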

[Brief explanation of the drawings] 
Fig. 1 is a principle diagram. 

Fig. 2 is a schematic diagram illustrating a constitution 
of an embodiment of the present invention. 

Fig. 3 is a diagram illustrating a protocol of the 
embodiment of the present invention. 

[Description of referential symbols] 

ID, ID' : user identifier 

PW, PW': password 

R, R' : random number 

Kp: public key 

Ks: secret key 

SK: session key 

C: client 

S: server 

11: public key system encryption processing section 
12: secret key storage section 
13: random number storage section 
14: communication processing section 

15: secret key system encryption/decryption processing section 

16: session key generation section 

17: session key storage section 

18: user interface section 

21: public key system decryption processing section 

22: secret key storage section 

23: random number storage section 

24: communication processing section 

25: secret key system encryption/decryption processing section 

26: random number generation section 

27: session key storage section 

28: password checking section 

29: random number checking section 

30: ID/PW file 